Investigate ASLR re-randomization being disabled for children

Bug #2071815 reported by Marc Deslauriers
Affects: openssh (Ubuntu)
Status: In Progress
Importance: Medium
Assigned to: Nick Rosbrook
Milestone:

Bug Description

The systemd-socket-activation.patch has an Ubuntu delta to fix bug 2011458, but this results in ASLR not being re-randomized for children because the patch delta does "rexec_flag = 0;".

This was discovered as part of the CVE-2024-6387 discovery by Qualys, and is mentioned in the disclosure itself:

Side note: we discovered that Ubuntu 24.04 does not re-randomize the
ASLR of its sshd children (it is randomized only once, at boot time); we
tracked this down to the patch below, which turns off sshd's rexec_flag.
This is generally a bad idea, but in the particular case of this signal
handler race condition, it prevents sshd from being exploitable: the
syslog() inside the SIGALRM handler does not call any of the malloc
functions, because it is never the very first call to syslog().

This is also mentioned in the release notes of OpenSSH 9.8:

Exploitation on non-glibc systems is conceivable but has not been
examined. Systems that lack ASLR or users of downstream Linux
distributions that have modified OpenSSH to disable per-connection
ASLR re-randomisation (yes - this is a thing, no - we don't
understand why) may potentially have an easier path to exploitation.

We should investigate why that was needed, and if an alternative way of fixing the original bug can be done.
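Added example (not from this bug report or from OpenSSH) illustrating why rexec_flag matters: a child produced by fork() alone inherits the listener's memory layout, while a child that also exec()s itself gets a freshly randomized one. It assumes Linux with /proc/self/exe, a PIE build, and ASLR enabled; the "fork + exec" case only shows a difference when the program is run as built.

```c
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The address of this function stands in for "where the code got mapped";
 * with a PIE binary and ASLR on, it changes on every exec(). */
uintptr_t layout_probe(void) { return (uintptr_t)&layout_probe; }

/* Spawn a child and report 1 if its probe address equals the parent's,
 * 0 if it differs, -1 on error.  reexec == 0: fork() only (what sshd does
 * with rexec_flag = 0).  reexec != 0: fork() then re-exec this binary with
 * "--probe" (what sshd does with rexec enabled). Assumed Linux (/proc). */
int child_shares_layout(int reexec) {
    int fd[2];
    char buf[32] = {0};
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(fd[0]);
        if (reexec) {                          /* child: fresh image */
            dup2(fd[1], STDOUT_FILENO);
            execl("/proc/self/exe", "probe", "--probe", (char *)NULL);
            _exit(127);
        }
        int n = snprintf(buf, sizeof buf, "%" PRIxPTR "\n", layout_probe());
        if (write(fd[1], buf, (size_t)n) != n) _exit(1);
        _exit(0);                              /* child: inherited image */
    }
    close(fd[1]);
    ssize_t n = read(fd[0], buf, sizeof buf - 1);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n <= 0) return -1;
    return (uintptr_t)strtoull(buf, NULL, 16) == layout_probe();
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--probe") == 0) {
        printf("%" PRIxPTR "\n", layout_probe());  /* re-exec'd child */
        return 0;
    }
    printf("fork only:   child shares parent layout = %d\n", child_shares_layout(0));
    printf("fork + exec: child shares parent layout = %d\n", child_shares_layout(1));
    return 0;
}
```

With ASLR on and a PIE build, the first line reports 1 and the second 0; a non-PIE binary or a system with ASLR disabled reports 1 for both.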

Marc Deslauriers (mdeslaur) wrote :

Subscribing Nick, who appears to be the original delta author.

Tobias Heider (tobhe)
tags: added: rls-oo-incoming
Changed in openssh (Ubuntu):
status: New → Confirmed
summary: - Investigate ASLR being disabled for children
+ Investigate ASLR re-randomization being disabled for children
Julian Andres Klode (juliank) wrote :

Assigning this to Nick so we don't lose track of it and can discuss it next week.

tags: added: foundations-todo
removed: rls-oo-incoming
Changed in openssh (Ubuntu):
assignee: nobody → Nick Rosbrook (enr0n)
Seth Arnold (seth-arnold) wrote :
Nick Rosbrook (enr0n) wrote :

I don't think those *help*, but that's good to know for when we merge an upstream version that includes those patches.

Changed in openssh (Ubuntu):
status: Confirmed → In Progress
importance: Undecided → Medium
This report contains Public Security information  